The Office of Civil Rights (OCR) at the U.S. Department of Health and Human Services recently published its findings from audits conducted in 2016 and 2017 of covered entities' and business associates' compliance with selected provisions of HIPAA's Privacy, Breach Notification, and Security Rules. The audits included health care providers, health plans, health care clearinghouses, and business associates. In short, OCR found material noncompliance with HIPAA's Notice of Privacy Practices (NPP), right of access, breach notification, and security risk analysis and risk management requirements.

Key findings from the report include:

  • Content of NPP. Of the covered entities audited, only 2% fully met the content requirements of a valid NPP. Most covered entities failed to provide required content related to individual rights or, in some cases, failed to provide an NPP written in plain language.

  • Prominently Posted NPP. Most covered entities met the requirement to post their NPP prominently on their website. Still, some covered entities failed to meet the "prominently posted" requirement by failing to post the NPP directly on, or accessible from, the homepage, or in some cases by using hyperlinks that could confuse the individual, such as hyperlinks titled "policy" or "HIPAA," or multiple hyperlinks titled "Privacy Policy" that led a user to two different privacy guidelines.

  • Right of Access. Covered entities are required to provide individuals with access to the protected health information (PHI) the covered entity maintains about the individual in a designated record set. However, almost all covered entities failed to show that they were correctly implementing procedures to ensure the right of access. OCR found recurring themes in its audit, including inadequate documentation of access requests and policies related to providing access that were insufficient, inadequate, or incorrect, or, in some cases, absent altogether.

  • Breach Notification Rule. A majority of covered entities audited issued breach notifications to individuals within the 60-calendar-day regulatory timeframe provided by the HIPAA Breach Notification Rule. However, most covered entities submitted notification letters to individuals that were missing required content. OCR noted that the most frequently omitted or deficient required content was a description of the types of unsecured PHI involved in the breach, the steps the individual should take to protect themselves from potential harm caused by the breach, adequate contact information, and an explanation of the entity's investigation and mitigation activity.

  • Security Risk Analysis. OCR found that less than 20% of covered entities and business associates audited fulfilled their regulatory responsibilities to safeguard electronic PHI (ePHI) through risk analysis activities. OCR noted that covered entities and business associates generally failed to identify and assess the risks to all ePHI, develop and implement policies and procedures for conducting a risk analysis, identify threats and vulnerabilities in light of their potential impact on ePHI, review and periodically update the risk analysis in response to changes or events that may affect ePHI, and conduct the risk analysis consistently with those policies and procedures.

  • Risk Management Standards. OCR found that because both covered entities and business associates failed to conduct appropriate risk analyses, as discussed above, they were then unable to connect their security plans to the management of identified risks. An overwhelming percentage of covered entities (94%) and business associates (88%) failed to implement appropriate risk management activities.

The areas audited above are likely to draw closer scrutiny from investigators during breach and individual complaint investigations. Therefore, covered entities and business associates should audit their privacy policies and practices and, at a minimum, consider the following takeaways from OCR's audit findings:

  • NPPs must contain all required elements, including, among other requirements, the elements regarding individual rights, and be written in plain language. Covered entities should review the model NPPs on OCR's website for guidance.

  • NPPs should be easily accessible and prominently posted on the covered entity's website. Best practices include: providing a link on the homepage that clearly identifies it as the HIPAA Notice of Privacy Practices; ensuring that the links function and direct the individual to the appropriate privacy guidelines; and ensuring that the NPP identifies the correct covered entity that maintains the website or, where separate covered entities participate in an organized health care arrangement, that a joint notice clearly and specifically describes the covered entities, or class of covered entities, to which the joint notice applies.

  • Review right-of-access documentation, policies, and procedures to evidence and improve the individual records request process. The audit report comes at the tail end of a year that saw OCR vigorously enforce individuals' rights to access and exercise control over their medical records. Right of access compliance will continue to receive attention, as OCR recently issued a Notice of Proposed Rulemaking to revise the HIPAA Privacy Rule, which seeks, among other revisions, to expand the right of access. Therefore, covered entities and business associates can expect OCR to continue enforcing against infringements of an individual's right to access their health information in 2021. For covered entities and business associates seeking additional assistance, the Office of the National Coordinator for Health Information Technology has developed aids addressing this specific issue, such as Improving the Health Records Process for Patients.

  • Breach notification letters must be written in plain language and include: a brief description of the breach, including the dates the breach is believed to have occurred and the date the breach was discovered; a description of the PHI involved in the breach; any steps individuals should take to protect themselves from potential harm resulting from the breach; a description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches; and contact information for the covered entity or business associates, as applicable.

  • Conduct a security risk analysis of the potential risks and vulnerabilities to ePHI. Whether conducting the analysis internally or through a third-party vendor, covered entities and business associates are responsible for maintaining an appropriate and current risk analysis consistent with policies, procedures, and changes in the environment, operations, or security incidents. OCR provides helpful resources and links for covered entities and business associates seeking guidance on risk analyses.

  • Implement appropriate risk management strategies. Covered entities and business associates must use their security risk analysis findings to inform their security plans and link them to the management of identified risks. In an attempt to promote and incentivize compliance with the Security Rule, Congress has proposed legislation that would effectively create a safe harbor by amending the HITECH Act to require OCR to take into account whether a covered entity or business associate has met recognized security standards when making determinations regarding enforcement and regulatory actions.

Originally Published by Foley & Lardner, January 2021

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.